Detailed analysis of Linux proxy server and firewall configuration

Article title: detailed analysis of Linux proxy server and firewall configuration. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

Proxy/firewall

1. iptables rule table

Filter (for filtering systems): INPUT, FORWARD, OUTPUT

NAT (for address translation systems): PREROUTING, POSTROUTING, INPUT, and OUTPUT

Mangle (for policy routing and special applications): OUTPUT and POSTROUTING

2. installation package

Iptables-1.2.7a-2

3. configure the firewall

1) command syntax

Usge: iptables [-t table]-[ADC] chain rule-specification [options]

Iptables [-t table]-I chain [rulenum] rule-specification [options]

Iptables [-t table]-R chain rulenum rule-specification [options]

Iptables [-t table]-D chain rulenum [options]

Iptables [-t table]-[LFZ] [chain] [options]

Iptables [-t table]-N chain

Iptables [-t table]-X [chain]

Iptables [-t table]-P chain target [options]

Iptables [-t table]-E old-chain-name new-chain-name

Rule operation parameters:

-A: add one or more rules at the end of the selected chain;

-D: delete one or more rules from the selected chain. There are two methods: specify the deleted rule as the serial number in the chain (the first serial number is 1) or the rule to be matched;

-R: replace a rule from the selected chain. If the source address or destination address is converted to multiple addresses, the command fails. The rule sequence number starts from 1;

-I: insert one or more rules to the selected chain based on the given sequence number. Therefore, if the rule number is 1, the rule inserts the chain header. This is the default method when no rule serial number is specified;

-L: all the rules of the selected chain. If no link is selected, all links are displayed. It can also be used with the z option, which means the chain will be automatically listed and zeroed;

-F: clears the selected chain. This means that all rules are deleted one by one;

-Z: clears the packets and byte counters of all links;

-N: creates a new user-defined chain based on the given name. This must ensure that no chain with the same name exists;

-X: deletes a specified user-defined chain. This chain must not be referenced. if it is referenced, the relevant rules must be deleted or replaced before deletion. If no parameter is provided, this command will try to delete each non-built chain;

-P: set the target rule of the chain;

-E: re-name the specified chain based on the name given by the user;

Description of Rule definition parameters:

-P [!] Protocol:

Protocol for rule or package check (to be checked. The specified protocol can be either one or all of TCP, UDP, or ICMP, or a numerical value, representing one of these protocols. You can also use the protocol name defined in/etc/protocols. Add "! "Indicates the opposite rule. The number 0 is equivalent to all. Protocol all matches all protocols, and this is a time-saving option. When combined with the check command, all can be disabled;

-S [!] Address [/mask]:

Specifies the source address, which can be the host name, network name, and clear IP address. The mask can be a network mask or a clear number. specify the number of "1" on the left of the network mask. Therefore, the value of the mask is 24 or 255.255.255.0. Add "! "Indicates that the opposite address segment is specified. Flag -- src is short for this option;

-D [!] Address [/mask]:

Specify the target address. For more information, see the description of the-s flag. Flag-dst is short for this option;

-J target:

Specify the target of the rule: that is, what the package matching should do. The target can be ACCEPT (through), DROP (delete), RETURN (RETURN), REDIRECT (repointing), SNAT (source address conversion), DNAT (target address conversion), MASQUERADE (camouflage), or user-defined chain. If the rule option is ignored, the matching process will not affect the package, but the rule counter will increase;

-I [!] [Name]:

The name of the API of the acceptable package to be selected. the package is received through this API (the package entered in the chain INPUT, FORWORD, and PREROUTING ). Before the interface name, use "! "After description, it refers to the opposite name. if" + "is added after the interface name, all interfaces starting with the next interface name will be matched. If this option is ignored, it is assumed to be "+", then any interface will be matched;

-O [!] [NAME]:

This is the optional exit name sent by the package through this interface, and the package is OUTPUT through this port (the package sent in the chain FORWARD, OUTPUT, and POSTROUTING ). Other settings are the same as above.

2) matching rule extension options:

Tcp: when-p tcp is specified and no other matching extensions are specified, these extensions are loaded.

-- Source-port [!] [Port [: port]:

Specifies the source port or port range. It can be a service name or port number. Format Port: you can specify the port range. If the first port number is ignored, the default value is 0. if the end port number is ignored, the default value is 65535. if the second port number is greater than the first port number, they are switched. You can use the -- sport alias for this option;

-- Destionation-port [!] [Port: [port]:

Specify the target port or port range. This option can be replaced by the -- dport alias;

-- Tcp-flags [!] Mask comp:

Matches the specified TCP tag. The first parameter is the tag to be checked, a list separated by commas, and the second parameter is a tag table separated by commas, which must be set. Tags include SYN (synchronous), ACK (response), FIN (ended), RST (reset), URG (urgent), and PSH (sent) ALLNONE.

Command iptables-a forward-p tcp -- tcp-flags SYN, ACK, FIN, and rst syn only match those packets with the SYN flag but without the ACK, FIN, and RST flag.

Udp: when-p icmp is specified and no other matching extensions are specified, these extensions are loaded.

-- Icmp-type [!] Typename: This option allows you to specify the ICMP type. it can be a numeric ICMP type, or an icmp type name displayed by the command "iptables-p ICMP-h.

Mac:

-- Mac-source [!] Address: match the physical address. The format must be XX: XX. Note that it is only valid for packets from the Ethernet device that enter the PREROUTING, FORWORD, and INPUT chains.

Limit: This module matching flag is used to mark the network data passing rate. it is used in combination with the LOG target to provide a limited number of logins. When this limit is reached, the rules that use this extension package will match. (Unless used! Tag). its extension options include:

-- Limit rate: the maximum average matching rate. value options include "/second", "/minute", "/hour", and "/day, the default value is "3/hour ";

-- Limit-burst number: maximum initial number of packages to be matched. If the limit previously specified does not reach this value, add 1 to the number. The default value is 5.

Multiport: This module matches a group of source or target ports. up to 15 ports can be specified. It can only be used with-p tcp or-p udp:

-- Source-port [port [, port]: if the source port is a given port, it will match;

-- Destination-port [port [, port]: if the target port is one of the given ports, it will match;

-- Port [port [, port]: if the source port and destination port are the same and are the same as a given port, then match.

Owner: this extension is the creator of the locally generated package matching package and can only be used for the OUTPUT chain. In addition, some packages (such as ICMP ping response) may not have owners, so they will never match:

-- Uid-owner userid: if a valid user id is provided, the package generated by the process is matched;

-- Gid-owner groupid: if a valid group id is provided, it matches the package generated by the process;

-- Sid-owner sessionid: matches the packets generated by the process based on the given session composition.

REJECT: return an incorrect package as a response to the matched package. In other cases, it is the same as DROP. This target applies only to INPUT, FORWARD, and OUTPUT chains, and user-defined chains that call these chains. These options control the returned error package features:

-- Reject-with type: the types can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-porto-unreachable, icmp-net-prohibited, or icmp-host-prohibited., this type will return the corresponding ICMP error message (default: port-unreachable ). The echo-reply option is also allowed. it can only be used to generate a ping response in the rule that specifies the ICMP ping packet.

SNAT: this target only applies to the POSTROUTING chain of the nat table. It specifies to modify the source address of the package (all packages will be affected after this connection) and stop checking the rule:

-- To-source [ ] [: Port-port]:

You can specify a single new IP address, a range of IP addresses, or a port range (only in rules specifying-p tcp or-p udp ). If the port range is not specified, the port with the source port below 512 is arranged as another port with the source port below 512; the port between 512 and 1024 is arranged as the port with the source port below 1024, other ports are scheduled to be 1024 or above. If possible, the port will not be modified;

-- To-destiontion [ ] [: Port-port]:

You can specify a single new IP address, a range of IP addresses, or a port range (only in rules specifying-p tcp or-p udp ). If no port range is specified, the target port is not modified.

MASQUERADE: used only for the POSTROUTING chain of the nat table. It can only be used to dynamically obtain ip (dial-up) connections: If you have a static ip address, you must use SNAT. Disguise is equivalent to setting an image for the IP address of the interface through which the packet is sent. when it is closed, the connection is terminated. This is because the current dial-up may not be the same interface address (all established connections will be closed in the future ). He has an option:

-- To-ports [ ]: Specifies the source port range used to overwrite the default SNAT source address selection. This option applies only to rules with-p tcp or-p udp specified.

REDIRECT: only applies to PREROUTING and OUTPUT chains of nat tables, and only calls their user-defined chains. He modifies the target IP address of the package to send the package to the machine itself (the locally generated package is placed as the address 127.0.0.1), which includes an option:

-- To-ports [ ]: Specify the target port or port range. If this parameter is not specified, the target port is not modified. Only rules with-p tcp or-p udp can be specified.

3) packet filtering settings

[1] [2] [3] [4] [5] Next page